Abstract

We present an interval-based temporal logic that permits the rigorous specification of a variety of hardware components and facilitates describing properties such as correctness of implementation. Conceptual levels of circuit operation ranging from detailed quantitative timing and signal propagation up to functional behavior are integrated in a unified way.

After giving some motivation for reasoning about hardware, we present the propositional and first-order syntax and semantics of the temporal logic. In addition we illustrate techniques for describing signal transitions as well as for formally specifying and comparing a number of delay models. Throughout the discussion, the formalism provides a means for examining such concepts as device equivalence and internal states.
§1 Introduction

Computer systems continue to grow in complexity and the distinctions between hardware and software keep on blurring. Out of this has come an increasing awareness of the need for behavioral models suited for specifying and reasoning about both digital devices and programs. Contemporary hardware description languages (for example [1,22,29]) are not sufficient because of various conceptual limitations:

• Most such tools are intended much more for simulation than for mathematically sound reasoning about digital systems.

• Difficulties arise in developing circuit specifications that out of necessity must refer to different levels of behavioral abstraction.

• Existing formal tools for such languages are in general too restrictive to deal with the inherent parallelism of circuits.

The logic presented in this paper overcomes these problems and unifies in a single notation digital circuit behavior that is generally described by means of the following techniques:

• Register transfer operations

• Flowgraphs and transition tables

• Tables of functions

• Timing diagrams

• Schematics and block diagrams

Using the formalism, we can describe and reason about qualitative and quantitative properties of signal stability, delay and other fundamental aspects of circuit operation.


We develop an extension of linear-time temporal logic [18,25] based on intervals. The behavior of programs and hardware devices can often be decomposed into successively smaller periods or intervals of activity. These intervals provide a convenient framework for introducing quantitative timing details. State transitions can be characterized by properties relating the initial and final values of variables over intervals of time. In fact, we feel that interval-based temporal logic provides a sufficient basis for directly describing a wide range of devices and programs. For our purposes, the distinctions made in dynamic logic [10,24] and process logic [6] between programs and propositions seem unnecessary.


The temporal logic's applicability is not limited to the goals of computer-assisted verification and synthesis of circuits. This type of notation, with appropriate "syntactic sugar," can provide a fundamental and rigorous basis for communicating, reasoning or teaching about the behavior of digital devices, computer programs and other discrete systems. Moszkowski [20,21] has applied it to describing and comparing devices ranging from delay elements up to a clocked multiplier and the Am2901 ALU bit slice developed by Advanced Micro Devices, Inc. Temporal logic also provides a basic framework for exploring the computational complexity of reasoning about time. Simulation-based languages can perhaps use such a formalism as a vehicle for describing the intended semantics of delays and other features. Manna and Moszkowski [17] show how temporal logic can itself serve as a programming language.

§2 Propositional Temporal Logic with Intervals

We first present the propositional part of the temporal logic; this provides a basis for the first-order part.

Syntax

The propositional temporal logic consists of propositional logic with the addition of modal constructs to reason about intervals of time.

Formulas are built inductively out of the following:

• Propositional variables: $P, Q, \ldots$

• Logical connectives: $\neg w$ and $w_1 \wedge w_2$, where $w$, $w_1$ and $w_2$ are formulas.

• Next: $\bigcirc w$ (read "next $w$"), where $w$ is a formula.

• Semicolon: $w_1 ; w_2$ (read "$w_1$ semicolon $w_2$" or "$w_1$ followed by $w_2$"), where $w_1$ and $w_2$ are formulas.

Models

Our logic can be viewed as linear-time temporal logic with the addition of the "chop" operator of process logic [6,11]. The truth of variables depends not on states but on intervals. A model is a pair $(\Sigma, \mathcal{M})$ consisting of a set of states $\Sigma = s, t, \ldots$ together with an interpretation $\mathcal{M}$ mapping each propositional variable $P$ and nonempty interval $s_0 \ldots s_n \in \Sigma^+$ to some truth value $\mathcal{M}_{s_0 \ldots s_n}[\![P]\!]$. In what follows, we assume $\Sigma$ is fixed.

The length of an interval $s_0 \ldots s_n$ is $n$. An interval consisting of a single state has length 0. It is possible to permit infinite intervals although for simplicity we will omit them here. An interval can also be thought of as the sequence of states of a computation. In the language of Chandra et al. [6], our logic is "non-local," with intervals corresponding to "paths."

Interpretation of Formulas

We now extend the meaning function $\mathcal{M}$ to arbitrary formulas:

• $\mathcal{M}_{s_0 \ldots s_n}[\![\neg w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w]\!] = \mathit{false}$

The formula $\neg w$ is true in an interval iff $w$ is false.

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \wedge w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w_1]\!] = \mathit{true}$ and $\mathcal{M}_{s_0 \ldots s_n}[\![w_2]\!] = \mathit{true}$

The conjunction $w_1 \wedge w_2$ is true in $s_0 \ldots s_n$ iff $w_1$ and $w_2$ are both true.

• $\mathcal{M}_{s_0 \ldots s_n}[\![\bigcirc w]\!] = \mathit{true}$ iff $n \geq 1$ and $\mathcal{M}_{s_1 \ldots s_n}[\![w]\!] = \mathit{true}$

The formula $\bigcirc w$ is true in an interval $s_0 \ldots s_n$ iff $w$ is true in the subinterval $s_1 \ldots s_n$. If the original interval has length 0, then $\bigcirc w$ is false.

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1 ; w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_i}[\![w_1]\!] = \mathit{true}$ and $\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$, for some $i$, $0 \leq i \leq n$.

Given an interval $s_0 \ldots s_n$, the formula $w_1 ; w_2$ is true if there is at least one way to divide the interval into two adjacent subintervals $s_0 \ldots s_i$ and $s_i \ldots s_n$ such that the formula $w_1$ is true in the first one, $s_0 \ldots s_i$, and the formula $w_2$ is true in the second, $s_i \ldots s_n$. Note that the two subintervals share the dividing state $s_i$.

A formula $w$ is satisfied by a pair $(\mathcal{M}, s_0 \ldots s_n)$ iff

$\mathcal{M}_{s_0 \ldots s_n}[\![w]\!] = \mathit{true}$

This is denoted as follows:

$(\mathcal{M}, s_0 \ldots s_n) \models w$

If all pairs of $\mathcal{M}$ and $s_0 \ldots s_n$ satisfy $w$ then $w$ is valid, written $\models w$.

§3 Expressing Temporal Concepts in the Propositional Logic

We illustrate the temporal logic's descriptive power by giving a variety of useful temporal concepts. The connectives $\neg$ and $\wedge$ clearly suffice to express other basic logical operators such as $\vee$ and $\equiv$.
Examining Subintervals

For a formula $w$ and an interval $s_0 \ldots s_n$, the construct $\Diamond_a w$ is true if $w$ is true in at least one subinterval $s_i \ldots s_j$ contained within $s_0 \ldots s_n$, possibly the entire interval $s_0 \ldots s_n$ itself. Note that the "$a$" in $\Diamond_a$ simply stands for "any" and is not a variable.

$\mathcal{M}_{s_0 \ldots s_n}[\![\Diamond_a w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_i \ldots s_j}[\![w]\!] = \mathit{true}$, for some $0 \leq i \leq j \leq n$

Similarly, the formula $\Box_a w$ is true if the formula $w$ itself is true in all subintervals of $s_0 \ldots s_n$:

$\mathcal{M}_{s_0 \ldots s_n}[\![\Box_a w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_i \ldots s_j}[\![w]\!] = \mathit{true}$, for all $0 \leq i \leq j \leq n$

These constructs can be expressed as follows:

$\Diamond_a w \equiv (\mathit{true} ; w ; \mathit{true})$

$\Box_a w \equiv \neg \Diamond_a \neg w$

Because semicolon is associative, the definition of $\Diamond_a w$ is unambiguous. Together, $\Diamond_a$ and $\Box_a$ fulfill all the axioms of the modal system S4 [12], with $\Diamond_a$ interpreted as possibly and $\Box_a$ as necessarily.

Initial and Terminal Subintervals

For a given interval $s_0 \ldots s_n$ the operators $\Diamond_i$ and $\Box_i$ are similar to $\Diamond_a$ and $\Box_a$ but only look at initial subintervals of the form $s_0 \ldots s_i$ for $i \leq n$. We can express $\Diamond_i w$ and $\Box_i w$ as shown below:

$\Diamond_i w \equiv (w ; \mathit{true})$

$\Box_i w \equiv \neg \Diamond_i \neg w$

For example, the formula $\Box_i(P \wedge Q)$ is true on an interval if $P$ and $Q$ are both true in all initial subintervals. The connectives $\Diamond_t$ and $\Box_t$ refer to terminal subintervals of the form $s_i \ldots s_n$ and are expressed as follows:

$\Diamond_t w \equiv (\mathit{true} ; w)$

$\Box_t w \equiv \neg \Diamond_t \neg w$

Both pairs of operators satisfy the axioms of S4. The operators $\Diamond_t$ and $\Box_t$ correspond directly to $\Diamond$ and $\Box$ in linear-time temporal logic [18].


The Yields Operator

It is often desirable to say that within an interval $s_0 \ldots s_n$ whenever some formula $w_1$ is true in any initial subinterval $s_0 \ldots s_i$, then another formula $w_2$ is true in the corresponding terminal subinterval $s_i \ldots s_n$, for any $i$, $0 \leq i \leq n$. We say that $w_1$ yields $w_2$ and denote this by the formula $w_1 \leadsto w_2$:

$\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \leadsto w_2]\!] = \mathit{true}$

iff $\mathcal{M}_{s_0 \ldots s_i}[\![w_1]\!] = \mathit{true}$ implies $\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$, for all $0 \leq i \leq n$

The yields operator can be viewed as ensuring that no counterexample of the form $w_1 ; \neg w_2$ exists in the interval:

$(w_1 \leadsto w_2) \equiv \neg(w_1 ; \neg w_2)$

This is similar to interpreting the implication $w_1 \supset w_2$ as the formula $\neg(w_1 \wedge \neg w_2)$.
Temporal Length

The construct $\mathit{empty}$ checks whether an interval has length 0:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{empty}]\!] = \mathit{true}$ iff $n = 0$

Similarly, the construct $\mathit{skip}$ checks whether the interval's length is exactly 1:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{skip}]\!] = \mathit{true}$ iff $n = 1$

These operators are expressible as shown below:

$\mathit{empty} \equiv \neg \bigcirc \mathit{true}$

$\mathit{skip} \equiv \bigcirc \mathit{empty}$

Combinations of the operators $\mathit{skip}$ and semicolon can be used to test for intervals of some fixed length. For example, the formula

$\mathit{skip} ; \mathit{skip} ; \mathit{skip}$

is true exactly for intervals of length 3. Alternatively, the connective next suffices:

$\bigcirc \bigcirc \bigcirc \mathit{empty}$
Initial and Final States

The construct $\mathit{beg}\, w$ tests if a formula $w$ is true in an interval's starting state:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{beg}\, w]\!] = \mathcal{M}_{s_0}[\![w]\!]$

The connective $\mathit{beg}$ can be expressed as follows:

$\mathit{beg}\, w \equiv \Diamond_i(\mathit{empty} \wedge w)$

This checks that $w$ holds for an initial subinterval of length 0, i.e., at the interval's first state. By analogy, the final state can be examined by the operator $\mathit{fin}\, w$:

$\mathit{fin}\, w \equiv \Diamond_t(\mathit{empty} \wedge w)$

This checks that $w$ holds for a terminal subinterval of length 0, i.e., at the interval's final state.
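The semantics of §2 and the operators of §3 are small enough to execute directly. The following Python evaluator is an added example written for this page, not code from the paper: formulas are nested tuples, only the four primitive constructs of §2 are interpreted directly, every §3 operator is built from them by the encoding given above, and the identities stated in §3 are then checked exhaustively over all local models with up to four states. All function names (`ev`, `dia_a`, `box_i`, `yields`, `valid_on` and so on) are my own. The checks use local variables only, which is the decidable case of §4 and the one in which the correspondence of $\Diamond_t$/$\Box_t$ with linear-time eventually/always can be compared against a direct computation over the states.

```python
# Added example, not code from the paper: an evaluator for the
# propositional interval temporal logic of §2 over a finite state
# sequence s_0 ... s_{N-1}.  An interval is an index pair (i, j) with
# length j - i; a formula is a nested tuple; the interpretation M is a
# function (variable, i, j) -> bool, so a variable may be true of an
# interval without being true of any of its states, as in the paper.
from itertools import product

TRUE = ("true",)

def ev(M, f, i, j):
    """M_{s_i ... s_j}[[f]] for the primitive constructs of §2."""
    op = f[0]
    if op == "true":
        return True
    if op == "var":
        return bool(M(f[1], i, j))
    if op == "not":
        return not ev(M, f[1], i, j)
    if op == "and":
        return ev(M, f[1], i, j) and ev(M, f[2], i, j)
    if op == "next":                       # false on an interval of length 0
        return i < j and ev(M, f[1], i + 1, j)
    if op == "chop":                       # some split s_i..s_k, s_k..s_j
        return any(ev(M, f[1], i, k) and ev(M, f[2], k, j)
                   for k in range(i, j + 1))
    raise ValueError(f"unknown construct {op!r}")

# The §3 operators, built from the primitives exactly as the paper defines them.
def var(p): return ("var", p)
def not_(w): return ("not", w)
def and_(a, b): return ("and", a, b)
def next_(w): return ("next", w)
def chop(a, b): return ("chop", a, b)
def dia_a(w): return chop(TRUE, chop(w, TRUE))   # true ; w ; true
def box_a(w): return not_(dia_a(not_(w)))
def dia_i(w): return chop(w, TRUE)               # w ; true
def box_i(w): return not_(dia_i(not_(w)))
def dia_t(w): return chop(TRUE, w)               # true ; w
def box_t(w): return not_(dia_t(not_(w)))
def yields(a, b): return not_(chop(a, not_(b)))  # no counterexample a ; not b
EMPTY = not_(next_(TRUE))
SKIP = next_(EMPTY)
def beg(w): return dia_i(and_(EMPTY, w))
def fin(w): return dia_t(and_(EMPTY, w))
def imp(a, b): return not_(and_(a, not_(b)))
def iff(a, b): return and_(imp(a, b), imp(b, a))

def local_model(trace):
    """M for local variables: P holds on s_i..s_j iff trace[P][i] is set."""
    return lambda p, i, j: trace[p][i]

def all_local_models(names, n_states):
    """Every assignment of per-state truth values to the given variables."""
    rows = list(product([0, 1], repeat=n_states))
    return [dict(zip(names, combo)) for combo in product(rows, repeat=len(names))]

def valid_on(f, models, n_states):
    """f holds on every interval (i, j) of every model: validity over local models."""
    return all(ev(local_model(t), f, i, j) for t in models
               for i in range(n_states) for j in range(i, n_states))

def lengths_satisfying(f, n_states):
    """Interval lengths j - i on which a variable-free formula f holds."""
    M = local_model({})
    return sorted({j - i for i in range(n_states)
                   for j in range(i, n_states) if ev(M, f, i, j)})

def ltl_correspondence(n_states=4):
    """For a local P, dia_t P is LTL 'eventually P' and box_t P is 'always P'."""
    P = var("P")
    return all(ev(local_model(t), dia_t(P), i, j) == any(t["P"][i:j + 1]) and
               ev(local_model(t), box_t(P), i, j) == all(t["P"][i:j + 1])
               for t in all_local_models(["P"], n_states)
               for i in range(n_states) for j in range(i, n_states))

def check_identities(n_states=4):
    """Identities stated in §3, checked exhaustively over local models of P and Q."""
    P, Q = var("P"), var("Q")
    formulas = [
        iff(chop(SKIP, chop(SKIP, SKIP)), next_(next_(next_(EMPTY)))),
        imp(box_a(P), P),                       # S4 axiom T for box_a
        imp(box_a(P), box_a(box_a(P))),         # S4 axiom 4 for box_a
        imp(box_i(P), beg(P)),                  # length-0 initial subinterval
        # for local P, Q the yields operator reduces to beg P -> box_t Q
        iff(yields(P, Q), imp(beg(P), box_t(Q))),
    ]
    models = all_local_models(["P", "Q"], n_states)
    return all(valid_on(f, models, n_states) for f in formulas)
```

Because `chop` tries every split point and the subinterval operators are three nested chops, the evaluator is exponential in formula depth; that is acceptable for checking identities on a handful of states, and it is the same blow-up the decision procedure of §4 has to contend with.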


§4 Some Complexity Results

We prove that satisfiability for arbitrary propositional formulas is undecidable but demonstrate the decidability of a useful subset.

Theorem: Satisfiability for propositional temporal logic with semicolon is undecidable.

Chandra et al. [6] show that satisfiability for process logic with an operator called chop is undecidable. Our semicolon construct acts like chop and therefore our theorem strengthens their result since we do not require programs in order to obtain undecidability.

If we restrict all propositional variables to be local (that is, each propositional variable $P$ is true of an interval $s_0 \ldots s_n$ iff $P$ is true of the first state $s_0$), then we get a decidable logic:

Theorem: Local temporal logic with semicolon has a decision procedure that is elementary in the depth of the operators $\neg$ and semicolon.

This is the best we can do since Kozen (private communication) has shown that the validity problem for local temporal logic with semicolon is nonelementary. The proofs of these theorems will appear in the full paper.
§5 First-Order Temporal Logic with Intervals

We now give the syntax and semantics of the first-order temporal logic. Expressions and formulas are built inductively as follows:

Syntax of Expressions

• Individual variables: $U, V, \ldots$

• Functions: $f(e_1, \ldots, e_k)$, where $k \geq 0$ and $e_1, \ldots, e_k$ are expressions. In practice, we use functions such as $+$ and $\vee$ (bit-or). Constants like 0 and 1 are treated as zero-place functions.

Syntax of Formulas

• Predicates: $p(e_1, \ldots, e_k)$, where $k \geq 0$ and $e_1, \ldots, e_k$ are expressions. Predicates include $<$ and other basic relations.

• Equality: $e_1 = e_2$, where $e_1$ and $e_2$ are expressions.

• Logical connectives: $\neg w$ and $w_1 \wedge w_2$, where $w$, $w_1$ and $w_2$ are formulas.

• Universal quantification: $\forall V.\, w$, where $V$ is a variable and $w$ is a formula.

• Next: $\bigcirc w$, where $w$ is a formula.

• Semicolon: $w_1 ; w_2$, where $w_1$ and $w_2$ are formulas.

Models

A model consists of a set of states $\Sigma = s, t, \ldots$ and domain $D$ together with an interpretation $\mathcal{M}$ mapping each variable $V$ and interval $s_0 \ldots s_n$ to some value $\mathcal{M}_{s_0 \ldots s_n}[\![V]\!]$ in $D$. Furthermore, each function and predicate symbol is given some meaning. Each $k$-place function symbol $f$ has an interpretation $\mathcal{M}[\![f]\!]$ which is a function mapping $k$ elements in $D$ to a single value:

$\mathcal{M}[\![f]\!] \in (D^k \rightarrow D)$

Interpretations of predicate symbols are similar but map to truth values:

$\mathcal{M}[\![p]\!] \in (D^k \rightarrow \{\mathit{true}, \mathit{false}\})$

The semantics given here keeps the interpretations of function and predicate symbols independent of intervals and thus time-invariant. The semantics can however be extended to take into account the dynamic behavior of parameters.


Interpretation of Expressions and Formulas

We now extend the interpretation $\mathcal{M}$ to arbitrary expressions and formulas:

• $\mathcal{M}_{s_0 \ldots s_n}[\![f(e_1, \ldots, e_k)]\!] = \mathcal{M}[\![f]\!](\mathcal{M}_{s_0 \ldots s_n}[\![e_1]\!], \ldots, \mathcal{M}_{s_0 \ldots s_n}[\![e_k]\!])$

The interpretation of the function symbol $f$ is applied to the interpretations of $e_1, \ldots, e_k$.

• $\mathcal{M}_{s_0 \ldots s_n}[\![e_1 = e_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![e_1]\!] = \mathcal{M}_{s_0 \ldots s_n}[\![e_2]\!]$

• $\mathcal{M}_{s_0 \ldots s_n}[\![\neg w]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w]\!] = \mathit{false}$

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1 \wedge w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_n}[\![w_1]\!] = \mathcal{M}_{s_0 \ldots s_n}[\![w_2]\!] = \mathit{true}$

• $\mathcal{M}_{s_0 \ldots s_n}[\![\forall V.\, w]\!] = \mathit{true}$ iff $\mathcal{M}'_{s_0 \ldots s_n}[\![w]\!] = \mathit{true}$,

for every interpretation $\mathcal{M}'$ that agrees with $\mathcal{M}$ on the assignments to all variables, function and predicate symbols except possibly the variable $V$.

• $\mathcal{M}_{s_0 \ldots s_n}[\![\bigcirc w]\!] = \mathit{true}$ iff $n \geq 1$ and $\mathcal{M}_{s_1 \ldots s_n}[\![w]\!] = \mathit{true}$

• $\mathcal{M}_{s_0 \ldots s_n}[\![w_1 ; w_2]\!] = \mathit{true}$ iff $\mathcal{M}_{s_0 \ldots s_i}[\![w_1]\!] = \mathit{true}$ and $\mathcal{M}_{s_i \ldots s_n}[\![w_2]\!] = \mathit{true}$,

for some $i$, $0 \leq i \leq n$.

Satisfiability and validity of formulas are as in the propositional case.

All the other temporal operators mentioned earlier are expressible as before. In addition, existential quantification can be introduced as the dual of universal quantification:

$\exists V.\, w \equiv \neg \forall V.\, \neg w$


Values in the Data Domain

It is sufficient for our purposes that the data domain $D$ contain natural numbers and nested finite tuples. Both 0 and 1 serve as numbers and bits, with 0 standing for low voltage and 1 standing for high voltage. The data domain does not contain any intermediate voltages or "undefined" values.*

The following are sample values:

$0,\ 3,\ (0),\ (1, 2),\ (),\ (6, 3, 0, 9)$

*The approach taken in Moszkowski [20] includes undefined values. However, their omission results in no loss of generality and somewhat simplifies the underlying logic.

We adopt the convention that an $n$-element tuple has subscripts ranging from 0 on the left to $n - 1$ on the right.

It is assumed that $\mathcal{M}$ contains standard interpretations of function and predicate symbols such as $+$, $<$ and $\vee$ (bit-or). We also include conditional expressions and conventional operators for constructing, subscripting and determining the length of tuples.

Naming Conventions of Variables

Within an interpretation $\mathcal{M}$, a variable's values can differ from interval to interval. For convenience, we will use naming conventions to distinguish certain types of dynamic behavior.

• General variables: $A, U, X, \ldots$

These can vary in value from interval to interval and are also known as non-local, path or interval variables.

• Signal variables: $A, N, X, \ldots$ (set in a different typeface from general variables)

The value of such a variable in an interval $s_0 \ldots s_n$ depends solely on the initial state $s_0$:

$\mathcal{M}_{s_0 \ldots s_n}[\![A]\!] = \mathcal{M}_{s_0}[\![A]\!]$

Thus, signals can change from state to state and are a special case of general variables. Signals can also be referred to as local or state variables.

• Static variables: $a, n, x, \ldots$

A static variable $a$ has a single interpretation $\mathcal{M}[\![a]\!]$, independent of any particular interval:

$\mathcal{M}_{s_0 \ldots s_n}[\![a]\!] = \mathcal{M}[\![a]\!]$

All static variables are signals and are often called global or frame variables.

In general, variables such as $A$, $B$ and $c$ range over all elements of the data domain $D$. On the other hand, $J$, $K$ and $n$ range over natural numbers. The variables $X$, $Y$ and $z$ always equal one of the bit values 0 and 1. If desired, the naming style suggested here can also be used in the propositional logic.

§6 Some First-Order Temporal Concepts

Within the framework of first-order temporal logic, we can explore a variety of qualitative and quantitative timing issues. The constructs given below are useful for describing and reasoning about circuits.
Temporal Assignment

The formula $A \rightarrow B$ is true for an interval if the signal $A$'s initial value equals $B$'s final value:

$A \rightarrow B \equiv_{\mathrm{def}} \forall c.\, [\mathit{beg}(A = c) \supset \mathit{fin}(B = c)]$

We call this temporal assignment. Unlike in conventional programming languages, it is perfectly acceptable to have an arbitrary expression on the receiving end of the arrow.

Properties:

$\models (A \rightarrow B) \supset [f(A) \rightarrow f(B)]$

If $A$ is assigned to $B$, then any time-invariant function application $f(A)$ is passed to $f(B)$.

$\models [(\neg Z \rightarrow Z) ; (\neg Z \rightarrow Z)] \supset [Z \rightarrow Z]$

If a bit signal is twice complemented, it ends up with its original value.

Temporal Equality

Two signals $A$ and $B$ are temporally equal in an interval if they have the same values in all states. This is written $A \approx B$ and differs from constructs for initial and terminal equality, which only examine signals' values at the extremes of the interval:

$A \approx B \equiv_{\mathrm{def}} \Box_a(A = B)$

Properties:

$\models [A \approx B] \supset [f(A) \approx f(B)]$

If $A$ temporally equals $B$, then $f(A)$ temporally equals $f(B)$.

$\models [(A, B) \approx (A', B')] \equiv (A \approx A' \wedge B \approx B')$

The pair $(A, B)$ temporally equals $(A', B')$ exactly if the signal $A$ temporally equals $A'$ and $B$ temporally equals $B'$.

Temporal Stability

A signal $A$ is stable if it has a fixed value. The notation used is $\mathit{stb}\, A$ and can be expressed as shown below:

$\mathit{stb}\, A \equiv_{\mathrm{def}} \exists b.\, (A \approx b)$

It follows from this that every static variable is stable.

The Temporal Function len

Quantitative timing properties are handled by a 0-place temporal function $\mathit{len}$ whose value for any interval $s_0 \ldots s_n$ equals the length $n$:

$\mathcal{M}_{s_0 \ldots s_n}[\![\mathit{len}]\!] = n$

Examples

Concept: The signal $A$ is stable and the interval has at least $m + n$ units
Formula: $\mathit{stb}\, A \wedge \mathit{len} \geq m + n$

Concept: In some subinterval of length $\geq m$, $X$ is stable
Formula: $\Diamond_a([\mathit{len} \geq m] \wedge \mathit{stb}\, X)$


Blocking

It is useful to specify that as long as a signal $A$ remains stable, so does another signal $B$. We say that $A$ blocks $B$ and write this as $A\ \mathit{blk}\ B$. The predicate $\mathit{blk}$ can be expressed using the temporal formula

$A\ \mathit{blk}\ B \equiv_{\mathrm{def}} \Box_i(\mathit{stb}\, A \supset \mathit{stb}\, B)$

The predicate $A\ \mathit{blk}\ B$ can be extended to allow for quantitative timing. When describing the behavior of digital circuits, it is often useful to express that in any initial interval where $A$ remains stable up to within the last $m$ units of time, $B$ is stable throughout:

$A\ \mathit{blk}_m\ B \equiv_{\mathrm{def}} \Box_i[(\mathit{stb}\, A ; \mathit{len} \leq m) \supset \mathit{stb}\, B]$

This modification has utility in situations where $B$ is known to be slow in responding to changes in $A$.

Initial and Terminal Stability

The predicate $\mathit{istb}_m\, A$ is true for an interval $s_0 \ldots s_n$ if the signal $A$ is stable in the initial states $s_0 \ldots s_m$. The next definition has this meaning:

$\mathit{istb}_m\, A \equiv_{\mathrm{def}} \Diamond_i(\mathit{stb}\, A \wedge \mathit{len} = m)$

Note that the formula is false on an interval of length less than $m$. By analogy, $\mathit{tstb}_m\, A$ is true if $A$ ends up stable for at least $m$ units of time:

$\mathit{tstb}_m\, A \equiv_{\mathrm{def}} \Diamond_t(\mathit{stb}\, A \wedge \mathit{len} = m)$


Rising and Falling Signals

A rising bit signal can be described by the predicate $\uparrow X$:

$\uparrow X \equiv_{\mathrm{def}} [(X \approx 0) ; \mathit{skip} ; (X \approx 1)]$

This says that $X$ is 0 for a while and then jumps to 1. The gap of quantum length represented by the test $\mathit{skip}$ is necessary here since a signal cannot be 0 and 1 at the same instant. Falling signals are analogously described by the construct $\downarrow X$:

$\downarrow X \equiv_{\mathrm{def}} [(X \approx 1) ; \mathit{skip} ; (X \approx 0)]$

These operators can be extended to include quantitative information specifying minimum periods of stability before and after the transitions. For example, timing details can be added to the operator $\uparrow$:

$\uparrow_{m,n} X \equiv_{\mathrm{def}} [(X \approx 0 \wedge \mathit{len} \geq m) ; \mathit{skip} ; (X \approx 1 \wedge \mathit{len} \geq n)]$

This can also be expressed as shown below:

$\models \uparrow_{m,n} X \equiv (\uparrow X \wedge \mathit{istb}_m\, X \wedge \mathit{tstb}_n\, X)$

Thus, the extended form of $\uparrow$ can be reduced to the original one with separate details concerning initial and terminal stability.

A negative pulse with quantitative information can be described as shown below:

$\downarrow\!\uparrow_{l,m,n} X \equiv_{\mathrm{def}} [(X \approx 1 \wedge \mathit{len} \geq l) ; \mathit{skip} ; (X \approx 0 \wedge \mathit{len} \geq m) ; \mathit{skip} ; (X \approx 1 \wedge \mathit{len} \geq n)]$

These constructs can be further modified to provide for noninstantaneous rise and fall times.

Smoothness

A bit signal $X$ is smooth if it is either stable or has a single transition. The following illustrates one way to express smoothness:

$\mathit{sm}\, X \equiv_{\mathrm{def}} (\mathit{stb}\, X \vee \uparrow X \vee \downarrow X)$

Since digital devices generally require clock inputs to be smooth, it is sometimes important to ensure that a signal has this property.
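The stability, transition and smoothness predicates of this section are all instances of chop over a signal trace and can be checked mechanically. The following Python functions are an added example written for this page, not code from the paper: each §6 predicate is evaluated directly over a finite bit trace with the interval passed as an index pair, and the stated reduction $\uparrow_{m,n} X \equiv (\uparrow X \wedge \mathit{istb}_m\, X \wedge \mathit{tstb}_n\, X)$ is verified by exhaustive enumeration of every subinterval of every bit trace with at most seven states. The function names and the `first_glitch` helper, which locates the first non-smooth subinterval of a clock trace, are my own.

```python
# Added example, not code from the paper: the stability and transition
# predicates of §6 evaluated directly over a finite bit-signal trace.
# A signal is a list (or tuple) indexed by state number; its value on the
# interval s_i ... s_j is the slice x[i:j+1] and len is j - i.  Predicates
# take the interval as the trailing (i, j) arguments; the names are mine.
from itertools import product

def stb(x, i, j):
    """stb X: one value throughout s_i ... s_j."""
    return len(set(x[i:j + 1])) == 1

def istb(m, x, i, j):
    """istb_m X: dia_i(stb X and len = m); false if the interval is shorter than m."""
    return j - i >= m and stb(x, i, i + m)

def tstb(m, x, i, j):
    """tstb_m X: dia_t(stb X and len = m)."""
    return j - i >= m and stb(x, j - m, j)

def teq(x, v, i, j):
    """X ~ v: temporal equality with the constant v on the whole interval."""
    return all(b == v for b in x[i:j + 1])

def skip(i, j):
    return j - i == 1

def chop3(w1, w2, w3, i, j):
    """(w1 ; w2 ; w3) on s_i..s_j: some i <= k <= l <= j with the pieces
    true on s_i..s_k, s_k..s_l and s_l..s_j (the split states are shared)."""
    return any(w1(i, k) and w2(k, l) and w3(l, j)
               for k in range(i, j + 1) for l in range(k, j + 1))

def rise(x, i, j):
    """up X: (X ~ 0) ; skip ; (X ~ 1)."""
    return chop3(lambda a, b: teq(x, 0, a, b), skip,
                 lambda a, b: teq(x, 1, a, b), i, j)

def fall(x, i, j):
    """down X: (X ~ 1) ; skip ; (X ~ 0)."""
    return chop3(lambda a, b: teq(x, 1, a, b), skip,
                 lambda a, b: teq(x, 0, a, b), i, j)

def rise_mn(m, n, x, i, j):
    """up_{m,n} X: (X ~ 0 and len >= m) ; skip ; (X ~ 1 and len >= n)."""
    return chop3(lambda a, b: teq(x, 0, a, b) and b - a >= m, skip,
                 lambda a, b: teq(x, 1, a, b) and b - a >= n, i, j)

def smooth(x, i, j):
    """sm X: stable or exactly one transition."""
    return stb(x, i, j) or rise(x, i, j) or fall(x, i, j)

def check_rise_reduction(m=2, n=1, max_states=7):
    """The stated property  up_{m,n} X  <->  (up X and istb_m X and tstb_n X),
    checked on every subinterval of every bit trace with up to max_states
    states.  Raises on the first counterexample; returns the number of
    intervals examined."""
    count = 0
    for N in range(1, max_states + 1):
        for x in product([0, 1], repeat=N):
            for i in range(N):
                for j in range(i, N):
                    lhs = rise_mn(m, n, x, i, j)
                    rhs = rise(x, i, j) and istb(m, x, i, j) and tstb(n, x, i, j)
                    if lhs != rhs:
                        raise AssertionError(f"counterexample {x} on ({i}, {j})")
                    count += 1
    return count

def first_glitch(x):
    """First subinterval s_i..s_j of a clock trace that is not smooth, i.e.
    contains more than one transition, or None if the whole trace is smooth."""
    N = len(x)
    for i in range(N):
        for j in range(i, N):
            if not smooth(x, i, j):
                return (i, j)
    return None
```

`first_glitch` is the check a clock-distribution spec would want: a trace such as `[0, 1, 0, 1]` fails at `(0, 2)` because the subinterval contains both a rise and a fall, while `[0, 0, 1, 1, 1]` is smooth on every subinterval.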
§7 Delays and Combinational Elements

Delay is a fundamental phenomenon in dynamic systems and an examination of it touches upon basic issues ranging from feedback and parallelism to implementation and internal device states. Such concepts also come into play in descriptions of more complicated devices. In addition, a key design decision in building any hardware simulator centers around the treatment of delay (see, for example, Breuer and Friedman [5]). For these and other reasons, it is worth taking a detailed look at various models of signal propagation.

Unit Delay

One of the simplest and most important types of delay elements can be modeled as having the following structure:

[Figure: a delay element with input $A$ and output $B$]

Here $A$ is the input signal and $B$ is the associated output. The following statement uses intervals to characterize the desired behavior:

In every subinterval of length exactly one unit, the initial value of the input $A$ equals the final value of the output $B$.

The next predicate $\mathit{del}$ formalizes this:

$A\ \mathit{del}\ B \equiv_{\mathrm{def}} \Box_a[(\mathit{len} = 1) \supset (A \rightarrow B)]$

Property:

$\models (A\ \mathit{del}\ A) \equiv \mathit{stb}\, A$

A signal is fed back to itself iff it is stable.

Transport Delay

It is natural to extend the predicate $\mathit{del}$ to cover delays over $m$-unit intervals:

$A\ \mathit{del}_m\ B \equiv_{\mathrm{def}} \Box_a(\mathit{len} = m \supset [A \rightarrow B])$

Breuer and Friedman [5] refer to this as transport delay.

Properties:

$\models A\ \mathit{del}_0\ B \equiv A \approx B$

Zero delay is equivalent to temporal equality.

$\models (A\ \mathit{del}_m\ B \wedge B\ \mathit{del}_n\ C) \supset A\ \mathit{del}_{m+n}\ C$

Delay is cumulative.

$\models (A_1, A_2)\ \mathit{del}_m\ (B_1, B_2) \equiv (A_1\ \mathit{del}_m\ B_1 \wedge A_2\ \mathit{del}_m\ B_2)$

Delay between pairs is equivalent to component-wise delay. This generalizes to tuples of arbitrary length.

Functional Delay

Often, one signal receives a delayed function of another. The following examples illustrate this and are based on the predicate $\mathit{del}$ although other delay models can be used.

Examples

Concept: $X$ keeps on being complemented
Formula: $(\neg X)\ \mathit{del}\ X$

Concept: $B$ either accepts $A$ or itself, depending on $X$
Formula: $[\mathbf{if}\ (X = 1)\ \mathbf{then}\ A\ \mathbf{else}\ B]\ \mathit{del}\ B$

Properties:

$\models A\ \mathit{del}_m\ B \supset f(A)\ \mathit{del}_m\ f(B)$

If $A$ has a delay to $B$ then it follows that $f(A)$ is delayed to $f(B)$.

$\models [f(A)\ \mathit{del}_m\ B \wedge g(B)\ \mathit{del}_n\ C] \supset g(f(A))\ \mathit{del}_{m+n}\ C$

Composition applies.

$\models [(\neg X)\ \mathit{del}_m\ Y \wedge (\neg Y)\ \mathit{del}_n\ Z] \supset X\ \mathit{del}_{m+n}\ Z$

Two inverters cancel.

$\models (I + 1)\ \mathit{del}\ I \supset [(I + \mathit{len}) \rightarrow I]$

If the variable $I$ keeps incrementing by 1, its final value is greater than its initial value by the length of the interval.
Delay Based on Shift Register

A shift register $R$ storing $m + 1$ values can be specified as follows:

$R[0]\ \mathit{del}\ R[1] \wedge \cdots \wedge R[m - 1]\ \mathit{del}\ R[m]$

Over each unit of time, the contents of $R$ shift right by one element. That is, the value of $R[0]$ is passed to $R[1]$ and so forth. This description is more formally expressed by means of quantification:

$\forall i \in [0, m - 1].\, (R[i]\ \mathit{del}\ R[i + 1])$

The next formula has the same meaning but is more concise:

$R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m]$

The following property shows how to achieve an $m$-unit delay by means of such a shift register:

$\models R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m] \supset R[0]\ \mathit{del}_m\ R[m]$ (*)

This suggests an implementation of $A\ \mathit{del}_m\ B$ of the form $A\ \mathit{shdel}^m_R\ B$:

$A\ \mathit{shdel}^m_R\ B \equiv_{\mathrm{def}} (A \approx R[0] \wedge R[m] \approx B \wedge R[0\ \mathbf{to}\ m - 1]\ \mathit{del}\ R[1\ \mathbf{to}\ m])$

Here, the value of $A$ is fed into $R[0]$ and $B$ receives the value $R[m]$. The correctness of this implementation is given by the following property:

$\models A\ \mathit{shdel}^m_R\ B \supset A\ \mathit{del}_m\ B$

We can localize $R$ in the formula $A\ \mathit{shdel}^m_R\ B$ by defining a variant $A\ \mathit{shdel}_m\ B$ which existentially quantifies over $R$:

$A\ \mathit{shdel}_m\ B \equiv_{\mathrm{def}} \exists R.\, (A\ \mathit{shdel}^m_R\ B)$

The register is assumed to exist without being externally visible to an observer. The quantifier's effect on scoping is similar to that of a begin-block in a conventional block-structured programming language. We call $A\ \mathit{shdel}_m\ B$ an external specification of the implementation. In fact, this is logically equivalent to the basic delay predicate $A\ \mathit{del}_m\ B$ as the next property demonstrates:

$\models A\ \mathit{shdel}_m\ B \equiv A\ \mathit{del}_m\ B$

The proof that $\mathit{shdel}$ implies $\mathit{del}$ follows from the implementation theorem (*) given above. The converse requires demonstrating that some $R$ exists. Perhaps the easiest way to do this is by direct construction. At each instant of time, the values of the $m + 1$ elements of $R$ can be those of the next $m + 1$ values of $B$ in appropriate order:

$R[i] \approx \bigcirc^{m-i} B$, for $0 \leq i \leq m$

The output value $R[m]$ always equals the expression $\bigcirc^0 B$, which is defined to be $B$'s current value. Similarly, $R[0]$ always equals $\bigcirc^m B$, that is, the value $B$ will have $m$ units later. This technique works even if the interval has length less than $m$.


Variable Transport Delay

A batch of delay elements may have varying characteristics although each individual device is rather fixed in its timing behavior. The predicate $A\ \mathit{vardel}_{m,n}\ B$ specifies that $A$'s value is propagated to $B$ by transport delay with some uncertain factor between $m$ and $n$:

$A\ \mathit{vardel}_{m,n}\ B \equiv_{\mathrm{def}} \exists i \in [m, n].\, (A\ \mathit{del}_i\ B)$

Delay with Sampling

Digital circuits often require that inputs remain stable and be sampled for some minimum amount of time in order to ensure proper device operation. The delay model $A\ \mathit{sadel}_m\ B$ has this characteristic:

$A\ \mathit{sadel}_m\ B \equiv_{\mathrm{def}} \Box_a[(\mathit{stb}\, A \wedge \mathit{len} \geq m) \supset \mathit{fin}(A = B)]$

Here the input $A$ must be stable at least $m$ units of time for the output $B$ to equal $A$. Behavior during changes in $A$ is left unspecified. The properties below illustrate two other ways of expressing $\mathit{sadel}$. We present them to demonstrate other possible styles:

$\models A\ \mathit{sadel}_m\ B \equiv \Box_a(\mathit{tstb}_m\, A \supset \mathit{fin}(A = B))$

$\models A\ \mathit{sadel}_m\ B \equiv [\mathit{tstb}_m\, A \leadsto \mathit{beg}(A = B)]$

Properties:

$\models A\ \mathit{del}_m\ B \supset A\ \mathit{sadel}_m\ B$

Basic delay implements sampling delay.

$\models A\ \mathit{sadel}_m\ B \equiv (\mathit{tstb}_m\, A \leadsto [\mathit{beg}(A = B) \wedge A\ \mathit{blk}\ B])$

Once the device stabilizes, the input $A$ blocks the output $B$.

The predicate $\mathit{sadel}$ can be extended to associate some factor with the blocking of $B$ by $A$:

$A\ \mathit{sadel}_{m,n}\ B \equiv_{\mathrm{def}} (\mathit{tstb}_m\, A \leadsto [\mathit{beg}(A = B) \wedge A\ \mathit{blk}_n\ B])$

In a sense, $m$ is the maximum delay and $n$ is the minimum delay.


An Equivalent Delay Model with an Internal State

A related delay model $A\ \mathit{stdel}^{m,n}_X\ B$ is based on a bit flag $X$ that is set to 1 after the input $A$ has been held stable $m$ units. Whenever $X$ is 1, the input $A$ equals the output $B$ and blocks $X$, which in turn blocks $B$ by the factor $n$:

$A\ \mathit{stdel}^{m,n}_X\ B \equiv_{\mathrm{def}}$

$\Box_a([\mathit{stb}\, A \wedge \mathit{len} \geq m] \supset \mathit{fin}(X = 1))$

$\wedge\ \Box_a(\mathit{beg}(X = 1) \supset [\mathit{beg}(A = B) \wedge A\ \mathit{blk}\ X \wedge X\ \mathit{blk}_n\ B])$

In the manner described earlier, we internalize $X$ by existentially quantifying over it:

$A\ \mathit{stdel}_{m,n}\ B \equiv_{\mathrm{def}} \exists X.\, (A\ \mathit{stdel}^{m,n}_X\ B)$

This external form is in fact logically equivalent to $A\ \mathit{sadel}_{m,n}\ B$:

$\models A\ \mathit{stdel}_{m,n}\ B \equiv A\ \mathit{sadel}_{m,n}\ B$

The following construction for $X$ can be used:

$X \approx \mathbf{if}\ [\mathit{beg}(A = B) \wedge A\ \mathit{blk}_n\ B]\ \mathbf{then}\ 1\ \mathbf{else}\ 0$

There are a variety of specifications that use different internal signals such as $X$ and yet are externally equivalent.
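The delay models of this section, the shift-register implementation and the sampling-delay forms can all be checked against one another mechanically on small traces. The following Python code is an added example written for this page, not code from the paper: it evaluates $\mathit{del}_m$, $\mathit{blk}$, $\mathit{blk}_n$, $\mathit{sadel}_m$, $\mathit{sadel}_{m,n}$ and $\mathit{stdel}^{m,n}_X$ directly over finite bit traces, builds the register $R$ from $R[i] \approx \bigcirc^{m-i} B$, constructs the flag $X$ by the rule just given, and verifies exhaustively (all bit traces $A$, $B$ with at most four states, $m = 2$, $n = 1$) the properties stated in §7: $(A\ \mathit{del}\ A) \equiv \mathit{stb}\, A$, $\mathit{del}_m \supset \mathit{sadel}_m$, the $\mathit{blk}$/$\mathit{tstb}$ form of $\mathit{sadel}_m$, $\mathit{shdel}_m \equiv \mathit{del}_m$, and $\mathit{sadel}_{m,n} \equiv \exists X.\, \mathit{stdel}^{m,n}_X$. Two choices are my own and not from the paper: how register cells whose $\bigcirc^{m-i} B$ lies past the end of the interval are filled, and the assumption $n \geq 1$ ($n$ being the minimum delay) for the $\mathit{stdel}$ equivalence check.

```python
# Added example, not code from the paper: the delay models of §7 as
# predicates over finite bit-signal traces, with the properties stated for
# them checked exhaustively on small traces.  A signal is a list indexed by
# state; the interval s_i ... s_j is the trailing (i, j) argument pair and
# has length j - i.  The fill-in for shift-register cells past the end of
# the interval is my own choice (the paper only says the construction works).
from itertools import product

def stb(x, i, j):
    return len(set(x[i:j + 1])) == 1

def tstb(m, x, i, j):
    return j - i >= m and stb(x, j - m, j)

def subintervals(i, j):
    return ((s, t) for s in range(i, j + 1) for t in range(s, j + 1))

def del_m(m, a, b, i, j):
    """A del_m B: box_a(len = m -> [A -> B]), i.e. B[t + m] == A[t] inside the interval."""
    return all(a[s] == b[s + m] for s in range(i, j - m + 1))

def blk(a, b, i, j):
    """A blk B: box_i(stb A -> stb B)."""
    return all(stb(b, i, k) for k in range(i, j + 1) if stb(a, i, k))

def blk_n(n, a, b, i, j):
    """A blk_n B: box_i((stb A ; len <= n) -> stb B)."""
    def ante(k):   # A stable on s_i..s_k2 for some k2 at most n units before k
        return any(stb(a, i, k2) and k - k2 <= n for k2 in range(i, k + 1))
    return all(stb(b, i, k) for k in range(i, j + 1) if ante(k))

def sadel_m(m, a, b, i, j):
    """A sadel_m B: box_a([stb A and len >= m] -> fin(A = B))."""
    return all(a[t] == b[t] for s, t in subintervals(i, j)
               if t - s >= m and stb(a, s, t))

def sadel_mn(m, n, a, b, i, j):
    """A sadel_{m,n} B: tstb_m A yields [beg(A = B) and A blk_n B]."""
    return all(a[k] == b[k] and blk_n(n, a, b, k, j)
               for k in range(i, j + 1) if tstb(m, a, i, k))

def stdel_x(m, n, x, a, b, i, j):
    """A stdel^{m,n}_X B with the internal flag X given explicitly."""
    armed = all(x[t] == 1 for s, t in subintervals(i, j)
                if t - s >= m and stb(a, s, t))
    tracks = all(a[k] == b[k] and blk(a, x, k, j) and blk_n(n, x, b, k, j)
                 for k in range(i, j + 1) if x[k] == 1)
    return armed and tracks

def construct_x(n, a, b, i, j):
    """The paper's witness for X: 1 exactly where beg(A = B) and A blk_n B hold."""
    return [1 if a[k] == b[k] and blk_n(n, a, b, k, j) else 0 for k in range(i, j + 1)]

def shift_register(m, a, b, n_states):
    """R[k] ~ next^{m-k} B, i.e. R[k][t] = B[t + m - k] while that state exists.
    Cells past the end are filled along the same diagonal with A[t - k] (so that
    A ~ R[0] can hold) or left 0 when the diagonal never reaches row 0."""
    R = [[0] * n_states for _ in range(m + 1)]
    for k in range(m + 1):
        for t in range(n_states):
            if t + m - k < n_states:
                R[k][t] = b[t + m - k]
            elif t - k >= 0:
                R[k][t] = a[t - k]
    return R

def shdel_r(m, R, a, b, n_states):
    """A shdel^m_R B: A ~ R[0], R[m] ~ B and R[0..m-1] del R[1..m]."""
    j = n_states - 1
    return (a == R[0] and R[m] == b and
            all(del_m(1, R[k], R[k + 1], 0, j) for k in range(m)))

def check_delay_properties(m=2, n=1, max_states=4):
    """Over all bit traces A, B with up to max_states states, check:
    (A del A) <-> stb A;  del_m -> sadel_m;  the blk/tstb form of sadel_m;
    del_m <-> shdel with the constructed register;  and
    sadel_{m,n} <-> exists X. stdel_X (n >= 1 assumed).  Returns pairs checked."""
    pairs = 0
    for N in range(1, max_states + 1):
        traces = [list(t) for t in product([0, 1], repeat=N)]
        j = N - 1
        for a in traces:
            assert del_m(1, a, a, 0, j) == stb(a, 0, j)
            for b in traces:
                pairs += 1
                d, s = del_m(m, a, b, 0, j), sadel_m(m, a, b, 0, j)
                assert s or not d
                assert s == all(a[k] == b[k] and blk(a, b, k, j)
                                for k in range(N) if tstb(m, a, 0, k))
                assert d == shdel_r(m, shift_register(m, a, b, N), a, b, N)
                witnesses = [x for x in traces if stdel_x(m, n, x, a, b, 0, j)]
                smn = sadel_mn(m, n, a, b, 0, j)
                assert smn == bool(witnesses)
                assert not smn or construct_x(n, a, b, 0, j) in witnesses
    return pairs
```

The converse of "basic delay implements sampling delay" fails, and a trace pair shows why: with $m = 2$, $A = 0,0,0,0,1$ and $B = 1,1,0,0,1$ satisfy $\mathit{sadel}_2$, because $B$ agrees with $A$ at every state where $A$ has been stable for two units, yet $B$ is arbitrary while $A$ is still settling, which $\mathit{del}_2$ forbids.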


Delay with Separate Propagation Times for 0 and 1

Sometimes it is important to distinguish between the propagation times for 0 and 1. The following variant of $\mathit{sadel}$ does this by having separate timing values for the two cases:

$A\ \mathit{sadel01}_{m,n}\ B \equiv_{\mathrm{def}}$

$\Box_a([A \approx 0 \wedge \mathit{len} \geq m] \supset \mathit{fin}(A = B))$

$\wedge\ \Box_a([A \approx 1 \wedge \mathit{len} \geq n] \supset \mathit{fin}(A = B))$

Smooth  Delay  Elements 

It is possible to specify that between times when the delay element is stable, if the input changes smoothly, then so does the output. We call such a device a smooth delay element. This type of delay has utility in systems which must propagate clock signals without distortion. Here is a predicate based on the earlier specification stdel:

$A\ \mathit{smdel}^X_{m,n}\ B \equiv_{\mathrm{def}}$
$\quad A\ \mathit{stdel}^X_{m,n}\ B$
$\quad \wedge\ \Box([\mathit{beg}(X = 1) \wedge \mathit{fin}(X = 1) \wedge \mathit{sm}\,A] \supset \mathit{sm}\,B)$

The external form quantifies over X:

$A\ \mathit{smdel}_{m,n}\ B \equiv_{\mathrm{def}} \exists X.\,(A\ \mathit{smdel}^X_{m,n}\ B)$


Delay  with  Tolerance  to  Noise 

Sometimes it is important to consider the effects of transient noise during signal changes. A signal A is almost smooth with factor l if A is continuously stable all but at most l contiguous units of time:

$\mathit{stb}\,A\,;\,(\mathit{len} \le l)\,;\,\mathit{stb}\,A$

The delay model toldel is similar to smdel but has an additional timing coefficient l for showing how almost smooth input changes result in smooth output transitions:

$A\ \mathit{toldel}^X_{m,n,l}\ B \equiv_{\mathrm{def}}$
$\quad A\ \mathit{stdel}^X_{m,n}\ B$
$\quad \wedge\ \Box([\mathit{beg}(X = 1) \wedge \mathit{fin}(X = 1) \wedge [\mathit{stb}\,A\,;\,(\mathit{len} \le l)\,;\,\mathit{stb}\,A]] \supset \mathit{sm}\,B)$

From this we can obtain the external form

$A\ \mathit{toldel}_{m,n,l}\ B$

The predicate smdel is a special case of toldel with a noise tolerance of 1 time unit:

$\vdash\ A\ \mathit{smdel}_{m,n}\ B \equiv A\ \mathit{toldel}_{m,n,1}\ B$

Gates  with  Input  and  Output  Delays 

One might specify an and-gate with both input and output delays as follows:

$(X, X')\ \mathit{saand}_{m,n}\ Y \equiv_{\mathrm{def}} \exists Z, Z'.\,[X\ \mathit{sadel}_m\ Z \wedge X'\ \mathit{sadel}_m\ Z' \wedge (Z \wedge Z')\ \mathit{sadel}_n\ Y]$

Here a delay exists from the input X to an internal signal Z and another delay occurs from X' to Z'. The bit-and of Z and Z' is propagated to Y. The input delays are given by m and the output one by n. If we choose to ignore input delays, the model reduces to a single occurrence of sadel:

$\vdash\ (X, X')\ \mathit{saand}_{0,n}\ Y \equiv (X \wedge X')\ \mathit{sadel}_n\ Y$

If the internal propagation is modeled by transport delay, things are even simpler. Here is an and-gate specified in this manner:

$(X, X')\ \mathit{tand}_{m,n}\ Y \equiv_{\mathrm{def}} \exists Z, Z'.\,[X\ \mathit{del}_m\ Z \wedge X'\ \mathit{del}_m\ Z' \wedge (Z \wedge Z')\ \mathit{del}_n\ Y]$

The predicate tand simplifies even if internal input delay is not ignored:

$\vdash\ (X, X')\ \mathit{tand}_{m,n}\ Y \equiv (X \wedge X')\ \mathit{del}_{m+n}\ Y$
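As an added example (not code from the paper), the following Python checker evaluates the sampling-delay definition and the transport-delay and-gate property above over a constructed finite trace. It assumes that the box operator ranges over every subinterval, that del_m is a pure transport delay whose first m outputs are 0, and that all function names are the example's own.

```python
# Added example, not from the paper: brute-force checks of the delay
# definitions over a finite trace. A trace is a list of states (dicts of
# bit signals); an interval is a contiguous run trace[i..j] with len = j - i.
# Assumption: the box operator ranges over every subinterval of the trace,
# and del_m is a pure transport delay whose first m outputs are 0.

def subintervals(trace):
    """Every (i, j) with i <= j, i.e. every subinterval of the trace."""
    n = len(trace)
    return [(i, j) for i in range(n) for j in range(i, n)]

def stb(trace, i, j, sig):
    """stb sig: the signal keeps a single value throughout states i..j."""
    return len({s[sig] for s in trace[i:j + 1]}) == 1

def sadel(trace, a, b, m):
    """A sadel_m B: whenever A is stable for at least m units, fin(A = B)."""
    return all(trace[j][a] == trace[j][b]
               for i, j in subintervals(trace)
               if j - i >= m and stb(trace, i, j, a))

def transport_delay(bits, m, initial=0):
    """Basic (transport) delay del_m: the output at t is the input at t - m."""
    return [initial] * m + bits[:len(bits) - m]

def make_trace(**signals):
    """Zip equally long bit lists into a list of state dictionaries."""
    return [dict(zip(signals, vals)) for vals in zip(*signals.values())]

# Constructed input waveform: low, high for four units, then low again.
X = [0, 0, 0, 1, 1, 1, 1, 0, 0, 0]

def delay_example(m=2):
    """A del_m B implies A sadel_m B, but sadel_{m-1} already fails here."""
    t = make_trace(A=X, B=transport_delay(X, m))
    return sadel(t, "A", "B", m), sadel(t, "A", "B", m - 1)

def tand_example(m=2, n=1):
    """(X, X') tand_{m,n} Y collapses to (X and X') del_{m+n} Y."""
    X2 = [0, 1, 1, 1, 0, 0, 1, 1, 1, 0]
    Z, Z2 = transport_delay(X, m), transport_delay(X2, m)
    Y = transport_delay([z & z2 for z, z2 in zip(Z, Z2)], n)
    return Y == transport_delay([x & x2 for x, x2 in zip(X, X2)], m + n)

if __name__ == "__main__":
    print(delay_example(), tand_example())  # (True, False) True
```

The second value of delay_example shows why the bound m matters: with one unit less, the subinterval starting at the rising edge of A is already long enough to trigger the obligation, and B has not caught up yet.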

§8  Simple  Latch 

A latch is a simple memory element for storing and maintaining a single bit of data. The two inputs S and R determine what value is stored, with S standing for Set and R standing for Reset. When the latch is stable, the outputs Q and $\bar{Q}$ are complements. Note that the bar in "$\bar{Q}$" is part of the name and not an operator. Such elements are among the simplest storage devices that can be constructed out of TTL gates and provide a basis for building counters and other sequential components. Here is one way to specify such a latch:

$(S, R)\ \mathit{latch}_{m,n}\ (Q, \bar{Q}) \equiv_{\mathrm{def}}$
$\quad \Box[(S \approx 0 \wedge R \approx 1 \wedge \mathit{len} \ge m)$
$\qquad \supset (\mathit{beg}(Q = 0 \wedge \bar{Q} = 1) \wedge S\ \mathit{blk}_n\ \langle Q, \bar{Q}\rangle)]$
$\quad \wedge\ \Box[(S \approx 1 \wedge R \approx 0 \wedge \mathit{len} \ge m)$
$\qquad \supset (\mathit{beg}(Q = 1 \wedge \bar{Q} = 0) \wedge R\ \mathit{blk}_n\ \langle Q, \bar{Q}\rangle)]$

For example, the specification states that after S is 1 and R is 0 for at least m units of time, Q equals 1, $\bar{Q}$ equals 0 and R blocks both with factor n. That is, the outputs are stable as long as R remains "inactive" at 0, independent of S's behavior. A logically equivalent specification based on an internal state is given in the full paper.

A latch can be constructed out of two nor-gates that feed back to one another:

$\vdash\ [\neg(R \vee \bar{Q})\ \mathit{sadel}_{m,n}\ Q \wedge \neg(S \vee Q)\ \mathit{sadel}_{m,n}\ \bar{Q} \wedge n \ge 1] \supset [(S, R)\ \mathit{latch}_{\ldots}\ (Q, \bar{Q})]$

The gates' blocking factor n must be nonzero in order to achieve a feedback loop that maintains a stored value.

§9  Some  Variants  of  Temporal  Logic 

There  are  a  variety  of  operators  and  concepts  that  can  be  added  to  the  temporal 
logic.  We  discuss  a  few  here. 

Iteration 

The logic can be generalized to include iteration. In the propositional case, this involves adding the Kleene closure of semicolon. This does not affect our basic complexity results. Loop operators such as while can be expressed by means of such a construct.

Ignoring  Intervals 

The concepts presented here can generally be expressed in linear-time temporal logic [18] with $\bigcirc$, $\Box$, $\Diamond$ and $\mathcal{U}$. The satisfiability of propositional formulas for such a logic is PSPACE-complete [28]. However, the conciseness and clarity provided by semicolon and other interval-dependent constructs are often lost.


Infinite  Intervals 


In  the  semantics  already  given,  all  intervals  are  restricted  to  being  finite.  It  can 
however  be  advantageous  to  consider  infinite  intervals  arising  out  of  nonterminating 
computations.  The  inclusion  of  such  intervals  does  not  alter  the  complexity  of 
satisfiability. 

Projection 

Sometimes it is desirable to examine the behavior of a device at certain points in time and ignore all intermediate states. This can be done using the notion of temporal projection. The formula $w_1\ \Pi\ w_2$ in an interval forms a subinterval consisting of those states where $w_1$ is true and then determines the value of $w_2$ in this subinterval:

$\mathcal{M}_{s_0 \ldots s_n}[\![w_1\ \Pi\ w_2]\!] = \mathcal{M}_{t_0 \ldots t_m}[\![w_2]\!]$

where $t_0 \ldots t_m$ is the sequence of the states in $s_0 \ldots s_n$ that satisfy $w_1$:

$\mathcal{M}_{t_i}[\![w_1]\!] = \mathit{true}, \text{ for } 0 \le i \le m$

Note that $t_0 \ldots t_m$ need not be a contiguous subsequence of $s_0 \ldots s_n$. If no states can be found, the projection is false. In the semantics given here, the formula $w_1$ examines states, not intervals. For example, the formula

$(X = 1)\ \Pi\ \mathit{stb}\,A$

is true if A has a constant value throughout the states where X equals 1. Variables like X act as metrics for measuring time and facilitate different levels of atomicity. If two parts of a system are running at different rates, metrics can be constructed to project away the asynchrony. Other definitions of projection are also possible.
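As an added example (not from the paper), here is the projection semantics just described, executed over a constructed trace in which X acts as a sampling metric for A. The trace, the helper names and the treatment of an empty projection as false are the example's own assumptions.

```python
# Added example, not from the paper: temporal projection w1 Π w2 over a finite
# trace, with w1 a state predicate and w2 a formula evaluated on the projected
# (not necessarily contiguous) subsequence, as defined in the text.

def project(trace, w1):
    """The states t0..tm of the trace that satisfy the state formula w1."""
    return [s for s in trace if w1(s)]

def projection(trace, w1, w2):
    """w1 Π w2: false if no state satisfies w1, else the value of w2 on t0..tm."""
    sub = project(trace, w1)
    return bool(sub) and w2(sub)

def stb(states, sig):
    """stb sig: the signal keeps a single value throughout the given states."""
    return len({s[sig] for s in states}) == 1

# Constructed trace: X marks the phase in which A is sampled. A only changes
# while X is 0, so A looks constant once the X = 0 states are projected away.
TRACE = [
    {"X": 1, "A": 0}, {"X": 0, "A": 1}, {"X": 1, "A": 0},
    {"X": 0, "A": 0}, {"X": 0, "A": 1}, {"X": 1, "A": 0},
]

def projection_example():
    """(X = 1) Π stb A versus plain stb A, plus the empty-projection case."""
    def x_is(v):
        return lambda s: s["X"] == v

    def stb_a(states):
        return stb(states, "A")

    return (projection(TRACE, x_is(1), stb_a),   # True: A is 0 at every X = 1 state
            stb_a(TRACE),                        # False: A changes in between
            projection(TRACE, x_is(2), stb_a))   # False: no state has X = 2
```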

Additional  Modifications 

Further  possible  extensions  include  quantification  over  propositional  variables 
as  well  as  interval-oriented  temporal  logics  based  on  branching  or  probabilistic 
models  of  time. 

§10  Related  Work 

We now mention some related research on the semantics of hardware. Gordon's work [8] on register-transfer systems uses a denotational semantics with partial values to provide a concise means for reasoning about clocking, feedback, instruction-set implementation and bus communication. Talantsev [30] as well as Betancourt and McCluskey [3] examine qualitative signal transition concepts corresponding to $\uparrow X$ and $\downarrow X$. Wagner [31] also uses such constructs as $\uparrow X$ in a semi-automated proof development system for reasoning about signal transitions and register transfer behavior. Malachi and Owicki [16] utilize a temporal logic to model self-timed digital systems by giving a set of axioms. Bochmann [4] uses a linear-time temporal logic to describe and verify properties of an arbiter, a device for regulating access to shared resources.


Leinwand and Lamdan [14] present a type of Boolean algebra for modeling signal transitions. Applications include systems with feedback and critical timing constraints. Patterson [23] examines the verification of firmware from the standpoint of sequential programming. Meinen [19] discusses a semantics of register transfer behavior. McWilliams [15] develops computational techniques for determining timing constraints in hardware. Eveking [7] uses predicate calculus with explicit time variables to explore verification in the hardware specification language Conlan.

A number of people have used temporal logics to describe computer communication protocols [9,13,26]. Bernstein and Harter [2] augment linear-time temporal logic with a construct for expressing that one event is followed by another within some specified time range. This facilitates the treatment of various quantitative timing issues. Recently Schwartz et al. [27] have introduced a temporal logic for reasoning about intervals. They distinguish intervals from propositions.

For our purposes, much of this work either has difficulties in treating quantitative timing, lacks rigor, is unintuitive or does not easily generalize. In particular, we believe that in many papers on applications of temporal logic, various basic aspects of discrete-time systems have been neglected in favor of more "glamorous" protocols and distributed algorithms. Furthermore, the computational models used generally interleave the executions of different processes. In the treatment of digital circuits, this approach seems inappropriate.

It has been argued by some that temporal logic is simply a subset of dynamic logic. However, once interval-dependent constructs are added, this is no longer the case. Operators such as semicolon and yields are not directly expressible in dynamic logic. Furthermore, the descriptive styles used in dynamic logic and temporal logic differ rather greatly. Dynamic logic and process logic stress the interaction between programs and propositions. Temporal logic is expressive enough to conveniently and directly specify a variety of useful programs. Our current view is that the addition of program variables would be redundant.
§11 Conclusion

Standard temporal logics and other such notations are not designed to concisely handle the kinds of quantitative timing properties and signal transitions that occur in the examples considered. Temporal intervals provide a unifying means for presenting the various features. Even without intervals, some of the dynamic concepts discussed here have utility in specifications and properties about discrete-time systems.

Moszkowski [21] uses the logic for describing and comparing a variety of digital devices. Manna and Moszkowski [17] show how to program directly in temporal logic. Future work will explore microprocessors, buses and protocols, DMA, firmware and instruction sets, as well as the combined semantics of hardware and software. We also plan to examine compilers and other systems that transmit and manipulate commands and programs.